Vulnerability details: VCID-jdsk-9fw6-buhu
Vulnerability ID VCID-jdsk-9fw6-buhu
Aliases CVE-2025-45406
GHSA-49jm-g4m8-x53p
Summary A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is disputed by the Supplier because attackers cannot influence the value of debugbar_time, and because debugbar-related data is automatically escaped by the CodeIgniter Parser class.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
epss 0.00207 https://api.first.org/data/v1/epss?cve=CVE-2025-45406
cvssv3.1 6.1 https://github.com/advisories/GHSA-7h5r-54mm-w4pq
ssvc Track https://github.com/advisories/GHSA-7h5r-54mm-w4pq
cvssv3.1 6.1 https://github.com/codeigniter4/CodeIgniter4
generic_textual MODERATE https://github.com/codeigniter4/CodeIgniter4
cvssv3.1 6.1 https://github.com/codeigniter4/CodeIgniter4/blob/v4.6.2/system/Debug/Toolbar.php#L496
generic_textual MODERATE https://github.com/codeigniter4/CodeIgniter4/blob/v4.6.2/system/Debug/Toolbar.php#L496
cvssv3.1 6.1 https://github.com/codeigniter4/framework/blob/v4.6.2/system/Debug/Toolbar.php#L496
generic_textual MODERATE https://github.com/codeigniter4/framework/blob/v4.6.2/system/Debug/Toolbar.php#L496
cvssv3.1 6.1 https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190
generic_textual MODERATE https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190
ssvc Track https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2020-15943
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-15943
ssvc Track https://nvd.nist.gov/vuln/detail/CVE-2020-15943
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2025-45406
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-45406
cvssv3.1 6.1 https://www.exploit-db.com/exploits/50556
generic_textual MODERATE https://www.exploit-db.com/exploits/50556
ssvc Track https://www.exploit-db.com/exploits/50556
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/advisories/GHSA-7h5r-54mm-w4pq
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/ Found at https://github.com/advisories/GHSA-7h5r-54mm-w4pq
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/codeigniter4/CodeIgniter4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/codeigniter4/CodeIgniter4/blob/v4.6.2/system/Debug/Toolbar.php#L496
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/codeigniter4/framework/blob/v4.6.2/system/Debug/Toolbar.php#L496
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/ Found at https://medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-15943
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/ Found at https://nvd.nist.gov/vuln/detail/CVE-2020-15943
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-45406
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.exploit-db.com/exploits/50556
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T20:27:59Z/ Found at https://www.exploit-db.com/exploits/50556
Exploit Prediction Scoring System (EPSS)
Percentile 0.43174
EPSS Score 0.00207
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:03:37.688902+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/45xxx/CVE-2025-45406.json 38.6.0